
GE Fanuc Vulnerabilities

US-CERT put out three vulnerability notes related to the GE Fanuc issues discussed in Eyal Udassin’s S4 paper. Eyal works for C4 in Israel. These issues had been reported to the vendor almost a year ago and had been closely coordinated with the CERTs in the US and Israel.

What makes these even more interesting than just another case of a software bug leading to an exploitable vulnerability is that they are vivid examples of how attackers get through even well-designed and well-implemented security perimeters.

Proficy Information Portal: Attack through the enterprise/control center firewall

Someone at S4, and I can’t remember who, said that firewall is really a bad name for the device that forms the perimeter, because a firewall allows approved communication through. If nothing were allowed through the firewall, you would not have a connection between the two networks at all (an air gap). Even a well-configured, least-privilege ruleset will have holes through the firewall that an attacker can try to leverage.

VU#180876 and VU#339345 deal with the Proficy Information Portal, which is often located in a DMZ to give enterprise users access to SCADA and DCS information. They allow an attacker on the enterprise network to own the Proficy Information Portal and then launch attacks on the systems in the control center from the DMZ.

From VU#339345:

GE Fanuc Proficy Information Portal allows authenticated users to upload arbitrary files. An attacker could upload an executable server-side script (e.g., an .asp shell on a Microsoft Internet Information Server platform) and execute arbitrary commands with the privileges of the web server.

So the only remaining requirement to own the server is becoming an authenticated user. There is a good chance that many, if not most or all, of an asset owner’s enterprise users could legitimately be authenticated users, especially if the asset owner leverages Active Directory for Proficy authentication. So a disgruntled insider without rights to the control center could launch this attack.
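The upload weakness described in VU#339345 is a pattern, not a GE Fanuc peculiarity, so here is an added example (not from the post and not GE Fanuc’s code) showing it beside the fix. `vulnerable_save` trusts the client’s file name and writes under the web root; `check_upload` and `hardened_save` enforce an extension allowlist, a strict file-name shape, content sniffing for the binary types, and storage under a server-chosen random name outside the served tree. The allowlist, the magic-byte table and the sample bytes are assumptions constructed for the example.

```python
import os
import re
import secrets
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Types a portal user legitimately needs to upload. This allowlist is an
# assumption for the example; the product's real policy is not on the page.
ALLOWED_EXTENSIONS = {".csv", ".pdf", ".png", ".xlsx"}

# Leading bytes for the allowed binary types, so that a script renamed to
# ".png" is caught by its content, not just by its name. CSV has no magic.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".xlsx": b"PK\x03\x04",
}

# One stem, one extension, nothing else: no path separators, no "..",
# no double extensions ("shell.asp.png"), no IIS-style "shell.asp;.png".
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


def vulnerable_save(webroot: Path, filename: str, data: bytes) -> Path:
    """The pattern VU#339345 describes: trust the client's file name and
    write it straight under the web root, where the server will execute
    whatever the extension says it should."""
    dest = webroot / filename
    dest.write_bytes(data)
    return dest


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied name and body."""
    if not SAFE_NAME.fullmatch(filename):
        return False, "file name must be <stem>.<ext> with no path or extra dots"
    ext = "." + filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"type {ext} not in allowlist"
    magic = MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        return False, f"content does not look like {ext}"
    return True, "ok"


def hardened_save(store: Path, filename: str, data: bytes) -> Optional[Path]:
    """Accept only allowlisted content, then write it under a server-chosen
    random name into a directory the web server does not serve.
    Returns the stored path, or None when the upload is rejected."""
    accepted, _reason = check_upload(filename, data)
    if not accepted:
        return None
    ext = "." + filename.rsplit(".", 1)[1].lower()
    dest = store / f"{secrets.token_hex(8)}{ext}"
    # O_EXCL: a name collision fails loudly instead of overwriting a file
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def run_demo() -> Dict[str, object]:
    """Exercise both savers in a scratch directory and report what each did."""
    root = Path(tempfile.mkdtemp())
    webroot, store = root / "webroot", root / "uploads"
    webroot.mkdir()
    store.mkdir()
    png = MAGIC[".png"] + b"\x00" * 16          # constructed, not a real image
    script = b"placeholder bytes, not a script"  # constructed stand-in
    return {
        "vulnerable_script_name": vulnerable_save(webroot, "shell.asp", script).name,
        "hardened_script": hardened_save(store, "shell.asp", script),
        "hardened_png": hardened_save(store, "logo.png", png),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The random server-side name matters as much as the allowlist: it removes the attacker’s control over where the file lands and what the server thinks it is, so even a filter bypass produces an inert blob in a non-served directory rather than a script under the web root.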

The vulnerability in VU#180876 shows how an attacker can obtain credentials. The login credentials are sent in plaintext, only Base64 encoded. Anyone able to intercept enterprise traffic could capture credentials that would allow them to upload arbitrary files.

If these are the same credentials used in Active Directory, then the user is also compromised on the enterprise network.
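To make concrete why “plaintext, only Base64 encoded” offers no protection, here is an added audit example (not from the post and not GE Fanuc’s code) written from the defender’s side: it scans captured HTTP request text for Basic Authorization headers, decodes them with the same one-liner any eavesdropper would use, masks the password, and raises a high-severity finding when the request was not carried over TLS. The request text, host name and credentials are constructed for the example.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample requests, as they might be captured on the enterprise
# LAN in front of the portal. The host name and credentials are made up.
PLAINTEXT_LOGIN = (
    "GET /Proficy/Portal/ HTTP/1.1\r\n"
    "Host: portal.example.internal\r\n"
    "Authorization: Basic b3BlcmF0b3I6U3VtbWVyMjAwOCE=\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n"
)
NO_AUTH = "GET /Proficy/Portal/ HTTP/1.1\r\nHost: portal.example.internal\r\n\r\n"

BASIC_RE = re.compile(
    r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def extract_basic_credentials(request: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) when the request carries HTTP Basic auth.

    Basic auth is Base64 encoding, not encryption: reversing it is one
    library call, which is exactly the point of VU#180876. Malformed or
    non-"user:password" payloads yield None instead of raising.
    """
    match = BASIC_RE.search(request)
    if match is None:
        return None
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def mask(secret: str) -> str:
    """Keep only the first character so a finding never stores the password."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def audit_request(request: str, tls: bool) -> Dict[str, object]:
    """Turn one captured request into an audit finding."""
    creds = extract_basic_credentials(request)
    if creds is None:
        return {"basic_auth": False, "severity": None, "user": None}
    user, password = creds
    severity = "info" if tls else "high"
    transport = "TLS" if tls else "plaintext HTTP"
    return {
        "basic_auth": True,
        "severity": severity,
        "user": user,
        "password_masked": mask(password),
        "message": f"Basic credentials for '{user}' sent over {transport}",
    }


def audit_capture(requests: List[Tuple[str, bool]]) -> List[Dict[str, object]]:
    """Audit (request_text, was_tls) pairs and return only the findings that
    need attention: credentials on a plaintext link."""
    return [
        finding
        for request, tls in requests
        if (finding := audit_request(request, tls))["severity"] == "high"
    ]


if __name__ == "__main__":
    capture = [(PLAINTEXT_LOGIN, False), (PLAINTEXT_LOGIN, True), (NO_AUTH, False)]
    for f in audit_capture(capture):
        print(f["severity"], f["message"], f["password_masked"])
```

The same decode runs in any passive monitor, so the useful control is on the transport: Basic over TLS downgrades the finding to informational here, and an insider-threat program would also want the non-TLS findings correlated with the Active Directory account named in the header.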

Attack from an IP Connected Field Site

We have long advised that SCADA asset owners need to pay security attention to remote field sites with IP connections to the control center; we even did a presentation on this topic at Distributech two years ago. A savvy attacker wouldn’t bother to try to physically access the network in a 24×7 manned control center with physical protection when she can break into a remote, unmanned site and hack away at her leisure.

Eyal’s heap buffer overflow vulnerability in GE Fanuc’s Cimplicity, VU#308556, demonstrates how this would be done. With remote control of the HMI, an attacker could affect the entire control system from one field site, in addition to launching attacks from the compromised system on other control system workstations and servers.

Writing heap buffer overflow exploits is not an easy task. It requires a lot of skill and days or weeks to accomplish. The exploit has not been made available, but it was demonstrated.

Finally, it is important to not draw the wrong conclusion from this. The wrong conclusion would be to think that the GE Fanuc products are less secure than other systems. All these products have vulnerabilities. The key is to understand and evaluate the vendor’s security development lifecycle, which can significantly reduce the vulnerabilities, and how they respond to identified vulnerabilities.

Hearing the experience second hand, it sounds like GE Fanuc started out typically and then did better than most. At the start it was very hard to find the right person who would understand the issue and do something about it. After many months this happened, and then GE Fanuc began to take action on compensating controls and developing patches to remove the vulnerabilities. This is better than most. All too often vendors choose to never take action, or only take action if the fix is paid for by a customer.

Comments

Comment from Clint Bodungen
Time: January 26, 2008, 6:30 pm

Dale,

You mentioned two very important points that are worth reiterating. The first, “The key is to understand and evaluate the vendor’s security development lifecycle, which can significantly reduce the vulnerabilities, and how they respond to identified vulnerabilities.” Too true. We can discover, document, and patch *specific* vulnerabilities until we are blue in the face but we are continuing to fight an uphill battle unless we/vendors pay closer attention to the root of the problem, which leads to the second point. You said, “All too often vendors choose to never take action or only take action if the fix is paid for by a customer.” Many times it costs the vendor more in labor costs than it would to just let it be. After all, the asset owner suffers, not them. This is why the research you (Digitalbond) and so many others do, along with proper reporting and disclosure, is so important to the industry. With the right amount of exposure, maybe the vendors in question will strengthen their security testing during SQA. As of now, the only liability vendors have is loss of customers and *maybe* the occasional lawsuit. Vendors now have a clear enough understanding of security vulnerabilities to be more liable and accountable for their products. Maybe it’s time they start facing more consequences.

Comment from CallBEFOREYouDig
Time: January 28, 2008, 12:47 pm

Making software manufacturers liable for the consequences of software vulnerabilities (through tort law) is one of the main points of David Rice’s book, Geekonomics.
On the other hand, if SCADA vendors have honed a single world-class skill, it is ensuring that all problems are ultimately owned by the asset owner.

Comment from Ralph Langner
Time: January 30, 2008, 1:20 pm

CBYD, your last sentence made me laugh. Unfortunately, it’s exactly how things are, even in an economy where people can sue tobacco firms for their health problems.

In addition to David Rice, I would cite Bruce Schneier, who always used to say that we will get better security only by addressing the liability issue.
